Introduction - Microsoft



[MS-ICPR]: ICertPassage Remote ProtocolIntellectual Property Rights Notice for Open Specifications DocumentationTechnical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages, standards as well as overviews of the interaction among each of these technologies. Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you may make copies of it in order to develop implementations of the technologies described in the Open Specifications and may distribute portions of it in your implementations using these technologies or your documentation as necessary to properly document the implementation. You may also distribute in your implementation, with or without modification, any schema, IDL's, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications. No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation. Patents. Microsoft has patents that may cover your implementations of the technologies described in the Open Specifications. Neither this notice nor Microsoft's delivery of the documentation grants any licenses under those or any other Microsoft patents. However, a given Open Specification may be covered by Microsoft Open Specification Promise or the Community Promise. If you would prefer a written license, or if the technologies described in the Open Specifications are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting iplg@. Trademarks. The names of companies and products contained in this documentation may be covered by trademarks or similar intellectual property rights. This notice does not grant any licenses under those rights. For a list of Microsoft trademarks, visit trademarks. Fictitious Names. The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in this documentation are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.Reservation of Rights. All other rights are reserved, and this notice does not grant any rights other than specifically described above, whether by implication, estoppel, or otherwise. Tools. The Open Specifications do not require the use of Microsoft programming tools or programming environments in order for you to develop an implementation. If you have access to Microsoft programming tools and environments you are free to take advantage of them. Certain Open Specifications are intended for use in conjunction with publicly available standard specifications and network programming art, and assumes that the reader either is familiar with the aforementioned material or has immediate access to it.Revision SummaryDateRevision HistoryRevision ClassComments3/2/20071.0Version 1.0 release4/3/20071.1Version 1.1 release5/11/20071.2Version 1.2 release6/1/20071.2.1EditorialChanged language and formatting in the technical content.7/3/20071.2.2EditorialChanged language and formatting in the technical content.8/10/20072.0MajorIDL was updated.9/28/20072.0.1EditorialChanged language and formatting in the technical content.10/23/20073.0MajorConverted document to unified format and updated technical content.1/25/20083.0.1EditorialChanged language and formatting in the technical content.3/14/20083.0.2EditorialChanged language and formatting in the technical content.6/20/20084.0MajorUpdated and revised the technical content.7/25/20084.0.1EditorialChanged language and formatting in the technical content.8/29/20084.0.2EditorialFix capitalization issues.10/24/20084.0.3EditorialChanged language and formatting in the technical content.12/5/20084.0.4EditorialEditorial Update.1/16/20094.0.5EditorialChanged language and formatting in the technical content.2/27/20094.0.6EditorialChanged language and formatting in the technical content.4/10/20095.0MajorUpdated and revised the technical content.5/22/20095.0.1EditorialChanged language and formatting in the technical content.7/2/20096.0MajorUpdated and revised the technical content.8/14/20096.0.1EditorialChanged language and formatting in the technical content.9/25/20096.1MinorClarified the meaning of the technical content.11/6/20096.1.1EditorialChanged language and formatting in the technical content.12/18/20096.1.2EditorialChanged language and formatting in the technical content.1/29/20107.0MajorUpdated and revised the technical content.3/12/20108.0MajorUpdated and revised the technical content.4/23/20109.0MajorUpdated and revised the technical content.6/4/201010.0MajorUpdated and revised the technical content.7/16/201011.0MajorUpdated and revised the technical content.8/27/201012.0MajorUpdated and revised the technical content.10/8/201012.1MinorClarified the meaning of the technical content.11/19/201013.0MajorUpdated and revised the technical content.1/7/201113.0NoneNo changes to the meaning, language, or formatting of the technical content.2/11/201113.0NoneNo changes to the meaning, language, or formatting of the technical content.3/25/201114.0MajorUpdated and revised the technical content.5/6/201114.0NoneNo changes to the meaning, language, or formatting of the technical content.6/17/201114.1MinorClarified the meaning of the technical content.9/23/201115.0MajorUpdated and revised the technical content.12/16/201116.0MajorUpdated and revised the technical content.3/30/201216.0NoneNo changes to the meaning, language, or formatting of the technical content.7/12/201216.1MinorClarified the meaning of the technical content.10/25/201216.1NoneNo changes to the meaning, language, or formatting of the technical content.1/31/201316.1NoneNo changes to the meaning, language, or formatting of the technical content.8/8/201317.0MajorUpdated and revised the technical content.11/14/201317.0NoneNo changes to the meaning, language, or formatting of the technical content.2/13/201417.0NoneNo changes to the meaning, language, or formatting of the technical content.5/15/201417.0NoneNo changes to the meaning, language, or formatting of the technical content.6/30/201518.0MajorSignificantly changed the technical content.Table of ContentsTOC \o "1-9" \h \z1Introduction PAGEREF _Toc423369562 \h 51.1Glossary PAGEREF _Toc423369563 \h 51.2References PAGEREF _Toc423369564 \h 61.2.1Normative References PAGEREF _Toc423369565 \h 71.2.2Informative References PAGEREF _Toc423369566 \h 71.3Overview PAGEREF _Toc423369567 \h 81.4Relationship to Other Protocols PAGEREF _Toc423369568 \h 81.5Prerequisites and Preconditions PAGEREF _Toc423369569 \h 81.6Applicability Statement PAGEREF _Toc423369570 \h 81.7Versioning and Capability Negotiation PAGEREF _Toc423369571 \h 81.8Vendor-Extensible Fields PAGEREF _Toc423369572 \h 91.9Standards Assignments PAGEREF _Toc423369573 \h 92Messages PAGEREF _Toc423369574 \h 102.1Transport PAGEREF _Toc423369575 \h 102.2Common Data Types PAGEREF _Toc423369576 \h 102.2.1Request Format PAGEREF _Toc423369577 \h 102.2.2Response Format PAGEREF _Toc423369578 \h 103Protocol Details PAGEREF _Toc423369579 \h 113.1ICertPassage Client Details PAGEREF _Toc423369580 \h 113.1.1Abstract Data Model PAGEREF _Toc423369581 \h 113.1.2Timers PAGEREF _Toc423369582 \h 113.1.3Initialization PAGEREF _Toc423369583 \h 113.1.4Message Processing and Sequencing Rules PAGEREF _Toc423369584 \h 113.1.4.1Processing ICertPassage:: CertServerRequest PAGEREF _Toc423369585 \h 113.1.5Timer Events PAGEREF _Toc423369586 \h 113.1.6Other Local Events PAGEREF _Toc423369587 \h 113.2ICertPassage Server Details PAGEREF _Toc423369588 \h 113.2.1Abstract Data Model PAGEREF _Toc423369589 \h 113.2.2Timers PAGEREF _Toc423369590 \h 123.2.3Initialization PAGEREF _Toc423369591 \h 123.2.4Message Processing and Sequencing Rules PAGEREF _Toc423369592 \h 123.2.4.1ICertPassage Interface PAGEREF _Toc423369593 \h 123.2.4.1.1CertServerRequest (Opnum 0) PAGEREF _Toc423369594 \h 123.2.5Timer Events PAGEREF _Toc423369595 \h 143.2.6Other Local Events PAGEREF _Toc423369596 \h 144Protocol Examples PAGEREF _Toc423369597 \h 155Security PAGEREF _Toc423369598 \h 165.1Security Considerations for Implementers PAGEREF _Toc423369599 \h 165.2Index of Security Parameters PAGEREF _Toc423369600 \h 166Appendix A: Full IDL PAGEREF _Toc423369601 \h 177Appendix B: Product Behavior PAGEREF _Toc423369602 \h 188Change Tracking PAGEREF _Toc423369603 \h 209Index PAGEREF _Toc423369604 \h 22Introduction XE "Introduction" XE "Introduction"This document specifies the ICertPassage Remote Protocol. This protocol is a subset of the Windows Client Certificate Enrollment Protocol, as specified in [MS-WCCE]. The difference between this protocol and the Windows Client Certificate Enrollment Protocol is that this protocol only allows the client to enroll certificates, whereas the Windows Client Certificate Enrollment Protocol provides enrollment and additional functionality, such as the capability to read certification authority (CA) data and configuration information. Reading and understanding the Windows Client Certificate Enrollment Protocol, as specified in [MS-WCCE], is essential to understanding the ICertPassage Remote Protocol.Sections 1.8, 2, and 3 of this specification are normative and can contain the terms MAY, SHOULD, MUST, MUST NOT, and SHOULD NOT as defined in [RFC2119]. Sections 1.5 and 1.9 are also normative but do not contain those terms. All other sections and examples in this specification are informative.Glossary XE "Glossary" The following terms are specific to this document:Active Directory: A general-purpose network directory service. Active Directory also refers to the Windows implementation of a directory service. Active Directory stores information about a variety of objects in the network. Importantly, user accounts, computer accounts, groups, and all related credential information used by the Windows implementation of Kerberos are stored in Active Directory. Active Directory is either deployed as Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS). [MS-ADTS] describes both forms. For more information, see [MS-AUTHSOD] section 1.1.1.5.2, Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Kerberos, and DNS.certificate: A certificate is a collection of attributes (1) and extensions that can be stored persistently. The set of attributes in a certificate can vary depending on the intended usage of the certificate. A certificate securely binds a public key to the entity that holds the corresponding private key. A certificate is commonly used for authentication (2) and secure exchange of information on open networks, such as the Internet, extranets, and intranets. Certificates are digitally signed by the issuing certification authority (CA) and can be issued for a user, a computer, or a service. The most widely accepted format for certificates is defined by the ITU-T X.509 version 3 international standards. For more information about attributes and extensions, see [RFC3280] and [X509] sections 7 and 8.certification authority (CA): A third party that issues public key certificates. Certificates serve to bind public keys to a user identity. Each user and certification authority (CA) can decide whether to trust another user or CA for a specific purpose, and whether this trust should be transitive. For more information, see [RFC3280].client: A computer on which the remote procedure call (RPC) client is executing.digital signature: A message authenticator that is typically derived from a cryptographic operation by using an asymmetric algorithm and private key. When a symmetric algorithm is used for this purpose, the authenticator is typically referred to as a Message Authentication Code (MAC).Distributed Component Object Model (DCOM): The Microsoft Component Object Model (COM) specification that defines how components communicate over networks, as specified in [MS-DCOM].dynamic endpoint: A network-specific server address that is requested and assigned at run time. For more information, see [C706].endpoint: A network-specific address of a remote procedure call (RPC) server process for remote procedure calls. The actual name and type of the endpoint depends on the RPC protocol sequence that is being used. For example, for RPC over TCP (RPC Protocol Sequence ncacn_ip_tcp), an endpoint might be TCP port 1025. For RPC over Server Message Block (RPC Protocol Sequence ncacn_np), an endpoint might be the name of a named pipe. For more information, see [C706].endpoint mapper: A service on a remote procedure call (RPC) server that maintains a database of dynamic endpoints and allows clients to map an interface/object UUID pair to a local dynamic endpoint. For more information, see [C706].enroll/enrollment: See certification.private key: One of a pair of keys used in public-key cryptography. The private key is kept secret and is used to decrypt data that has been encrypted with the corresponding public key. For an introduction to this concept, see [CRYPTO] section 1.8 and [IEEE1363] section 3.1.public key: One of a pair of keys used in public-key cryptography. The public key is distributed freely and published as part of a digital certificate. For an introduction to this concept, see [CRYPTO] section 1.8 and [IEEE1363] section 3.1.public-private key pair: The association of a public key and its corresponding private key when used in cryptography. For an introduction to public-private key pairs, see [IEEE1363] section 3.remote procedure call (RPC): A context-dependent term commonly overloaded with three meanings. Note that much of the industry literature concerning RPC technologies uses this term interchangeably for any of the three meanings. Following are the three definitions: (*) The runtime environment providing remote procedure call facilities. The preferred usage for this meaning is "RPC runtime". (*) The pattern of request and response message exchange between two parties (typically, a client and a server). The preferred usage for this meaning is "RPC exchange". (*) A single message from an exchange as defined in the previous definition. The preferred usage for this term is "RPC message". For more information about RPC, see [C706].RPC endpoint: A network-specific address of a server process for remote procedure calls (RPCs). The actual name of the RPC endpoint depends on the RPC protocol sequence being used. For example, for the NCACN_IP_TCP RPC protocol sequence an RPC endpoint might be TCP port 1025. For more information, see [C706].server: A computer on which the remote procedure call (RPC) server is executing.universally unique identifier (UUID): A 128-bit value. UUIDs can be used for multiple purposes, from tagging objects with an extremely short lifetime, to reliably identifying very persistent objects in cross-process communication such as client and server interfaces, manager entry-point vectors, and RPC objects. UUIDs are highly likely to be unique. UUIDs are also known as globally unique identifiers (GUIDs) and these terms are used interchangeably in the Microsoft protocol technical documents (TDs). Interchanging the usage of these terms does not imply or require a specific algorithm or mechanism to generate the UUID. Specifically, the use of this term does not imply or require that the algorithms described in [RFC4122] or [C706] must be used for generating the UUID.well-known endpoint: A preassigned, network-specific, stable address for a particular client/server instance. For more information, see [C706].MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as defined in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.References XE "References" Links to a document in the Microsoft Open Specifications library point to the correct section in the most recently published version of the referenced document. However, because individual documents in the library are not updated at the same time, the section numbers in the documents may not match. You can confirm the correct section numbering by checking the Errata. Normative References XE "References:normative" XE "Normative references" We conduct frequent surveys of the normative references to assure their continued availability. If you have any issue with finding a normative reference, please contact dochelp@. We will assist you in finding the relevant information. [C706] The Open Group, "DCE 1.1: Remote Procedure Call", C706, August 1997, [MS-CRTD] Microsoft Corporation, "Certificate Templates Structure".[MS-CSRA] Microsoft Corporation, "Certificate Services Remote Administration Protocol".[MS-DCOM] Microsoft Corporation, "Distributed Component Object Model (DCOM) Remote Protocol".[MS-DTYP] Microsoft Corporation, "Windows Data Types".[MS-RPCE] Microsoft Corporation, "Remote Procedure Call Protocol Extensions".[MS-WCCE] Microsoft Corporation, "Windows Client Certificate Enrollment Protocol".[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997, [RFC2797] Myers, M., Liu, X., Schaad, J., and Weinstein, J., "Certificate Management Messages Over CMS", RFC 2797, April 2000, [RFC2986] Nystrom, M. and Kaliski, B., "PKCS#10: Certificate Request Syntax Specification", RFC 2986, November 2000, [RFC3280] Housley, R., Polk, W., Ford, W., and Solo, D., "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002, [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3852, July 2004, [UNICODE4.0] The Unicode Consortium, "Unicode 4.0.0", [X509] ITU-T, "Information Technology - Open Systems Interconnection - The Directory: Public-Key and Attribute Certificate Frameworks", Recommendation X.509, August 2005, [X660] ITU-T, "Information Technology - Open Systems Interconnection - Procedures for the Operation of OSI Registration Authorities: General Procedures and Top Arcs of the ASN.1 Object Identifier Tree", Recommendation X.660, August 2004, [X690] ITU-T, "Information Technology - ASN.1 Encoding Rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)", Recommendation X.690, July 2002, References XE "References:informative" XE "Informative references" None.Overview XE "Overview (synopsis)" XE "Overview"The ICertPassage Remote Protocol exposes a Remote Procedure Call (RPC) (as specified in [MS-RPCE]) interface that allows a client to interact with a certification authority (CA) to request and receive X.509 certificates (as specified in [X509]) from the CA. The ICertPassage Remote Protocol only provides certificate enrollment functionality. The Windows Client Certificate Enrollment Protocol (as specified in [MS-WCCE]) provides a larger set of functionality, including reading CA data and configuration information. The certificate enrollment process and protocol overview are as specified in [MS-WCCE] section 1.3.The ICertPassage interface defines one method: CertServerRequest?(section?3.2.4.1.1).Relationship to Other Protocols XE "Relationship to other protocols" XE "Relationship to other protocols"The ICertPassage Remote Protocol depends on the Remote Procedure Call Protocol Extensions, as specified in [MS-RPCE]. No other Windows protocol depends on the ICertPassage Remote Protocol. The following diagram shows the layering of the protocol stack.Figure 1: ICRP Protocol StackThe ICertPassage Remote Protocol shares ADM elements with Windows Client Certificate Enrollment Protocol [MS-WCCE] as specified in section 3.1.1 and section 3.2.1. The ICertPassage Remote Protocol, the Certificate Services Remote Administration Protocol, and the Windows Client Certificate Enrollment Protocol use a common list of configuration data elements, defined in [MS-WCCE] section 3.2.1.1.4.Prerequisites and Preconditions XE "Preconditions" XE "Prerequisites"The ICertPassage Remote Protocol has the same prerequisites as the Windows Client Certificate Enrollment Protocol, as specified in [MS-WCCE] section 1.5.ICertPassage Remote Protocol server implementations that also implement the Certificate Services Remote Administration Protocol specified in [MS-CSRA] or the Windows Client Certificate Enrollment Protocol specified in [MS-WCCE] use the same configuration data elements, defined in [MS-WCCE] section 3.2.1.1.4 as "public", for those implementations.Applicability Statement XE "Applicability" XE "Applicability"This protocol applies to legacy clients that must use RPC (as specified in [MS-RPCE]) to interact with a CA for the purpose of enrolling or managing X.509 (as specified in [X509]) certificates.If clients can interact with the CA through Distributed Component Object Model (DCOM) (as specified in [MS-DCOM]) interfaces, they should use the Windows Client Certificate Enrollment Protocol, as specified in [MS-WCCE].Versioning and Capability Negotiation XE "Versioning" XE "Capability negotiation" XE "Capability negotiation" XE "Versioning"Version and capability negotiation is not provided in this protocol. HYPERLINK \l "Appendix_A_1" \h <1>Vendor-Extensible Fields XE "Vendor-extensible fields" XE "Fields - vendor-extensible" XE "Fields - vendor-extensible" XE "Vendor-extensible fields"None.Standards Assignments XE "Standards assignments" XE "Standards assignments"None.Messages XE "Messages:overview"The following sections specify how ICertPassage Remote Protocol messages are transported and ICertPassage Remote Protocol message syntax.Transport XE "Messages:transport" XE "Transport" XE "Transport" XE "Messages:transport"This protocol uses the following RPC protocol sequence: RPC over named pipe and RPC over TCP/IP, as specified in [MS-RPCE].The endpoint pipe name for RPC over named pipe, as specified in [MS-RPCE], is \PIPE\cert. This endpoint is used for the authenticated RPC interface. The authenticated RPC interface allows RPC to negotiate the use of authentication and the authentication level on behalf of the client and server, as specified in [MS-RPCE]. In the case of using RPC over TCP, this protocol uses RPC dynamic endpoints as defined in Part 4 of [C706]. For more information, see Client Initialization?(section?3.1.3) and Server Initialization?(section?3.2.3).This protocol MUST use the universal unique identifier (UUID), as specified in section 3.2.4.mon Data Types XE "Messages:common data types" XE "Common data types" XE "Data types:common - overview" XE "Data types:common - overview" XE "Common data types" XE "Messages:common data types" The ICertPassage interface uses the CERTTRANSBLOB structure, as specified in [MS-WCCE] section 2.2.2.2.This protocol specification makes use of the BYTE, wchar_t, and DWORD datatypes defined in [MS-DTYP] sections 2.2.6, 2.1.6, and 2.2.9.Request Format XE "Data types:request format" XE "Request format data type" XE "Messages:request format data type"The ICertPassage Remote Protocol is a simple request-response pattern between the client and the server. The client MUST send the certificate request using one of the following ASN.1 DER encoded message formats:PKCS #10 as specified in [RFC2986].Cryptographic Message Syntax (CMS) as specified in [RFC3852].Certificate Management Messages over CMS (CMC) as specified in [RFC2797].Details are as specified in [MS-WCCE] section 2.2.2.6. Each format contains a set of attributes and extensions describing the request. HYPERLINK \l "Appendix_A_2" \h <2>Response Format XE "Data types:response format" XE "Response format data type" XE "Messages:response format data type"Responses are returned by the ICertPassage Remote Protocol in either CMS format or CMC format. Details are as specified in [MS-WCCE] section 2.2.2.8. The format of the response is determined by the value passed in the dwFlags parameter, as specified in section 3.1.4.1.Protocol Details XE "Protocol Details:overview" The ICertPassage Remote Protocol is a simple request-response protocol. The client sends a certificate request, and the server responds with a signed certificate or a detailed disposition message. In almost all cases, the protocol is a single message followed by a single reply. Details on the flow and sequencing of the certificate enrollment protocol are as specified in [MS-WCCE] section 3. ICertPassage Client Details XE "Client:overview" XE "Client:icertpassage interface" XE "Interfaces - client:icertpassage" XE "icertpassage interface" XE "Client:overview"Details of the client role are exactly as specified in [MS-WCCE] section 3.1.Abstract Data Model XE "Client:abstract data model" XE "Abstract data model:client" XE "Data model - abstract:client" XE "Data model - abstract:client" XE "Abstract data model:client" XE "Client:abstract data model" The client abstract data model is as specified in the abstract data model subsections of the [MS-WCCE] section 3.1.Timers XE "Client:timers" XE "Timers:client" XE "Timers:client" XE "Client:timers"None.Initialization XE "Client:initialization" XE "Initialization:client" XE "Initialization:client" XE "Client:initialization"The client creates an RPC association (or binding) to the server RPC endpoint (as specified in section 2.1) when an RPC method is called. The client SHOULD create a separate association for each method invocation, or it MAY reuse an association for multiple invocations.The client SHOULD create an authenticated RPC association with the highest possible authentication level. RPC authentication levels are as specified in [MS-RPCE]. HYPERLINK \l "Appendix_A_3" \h <3> Because the RPC server endpoint is dynamic, the client MUST use the RPC endpoint mapper services (as specified in [MS-RPCE] section 2.2.1.2) to locate the endpoint at which the server is registered.Message Processing and Sequencing Rules XE "Sequencing rules:client" XE "Message processing:client" XE "Client:sequencing rules" XE "Client:message processing"Processing ICertPassage:: CertServerRequest XE "Client:processing ICertPassage\:\: CertServerRequest"Details of the client processing rules are exactly as specified in [MS-WCCE] section 3.1.1.4.3.Timer Events XE "Client:timer events" XE "Timer events:client" XE "Events:timer - client" XE "Events:timer:client" XE "Timer events:client" XE "Client:timer events"None.Other Local Events XE "Client:local events" XE "Local events:client" XE "Events:local - client" XE "Events:local:client" XE "Local events:client" XE "Client:local events"The ICertPassage interface CertServerRequest method is invoked to obtain certificates whenever they are required by the client. ICertPassage Server Details XE "Server:overview" XE "Server:icertpassage interface" XE "Interfaces - server:icertpassage" XE "icertpassage interface" XE "Server:overview"Details of the server processing rules are exactly as specified in [MS-WCCE] section 3.2.Abstract Data Model XE "Server:abstract data model" XE "Abstract data model:server" XE "Data model - abstract:server" XE "Data model - abstract:server" XE "Abstract data model:server" XE "Server:abstract data model"As specified in [MS-WCCE] section 3.2.1.1.ICertPassage Remote Protocol server implementations that also implement the Certificate Services Remote Administration Protocol specified in [MS-CSRA] or the Windows Client Certificate Enrollment Protocol specified in [MS-WCCE] use the same configuration data elements, defined in [MS-WCCE] section 3.2.1.1.4 as "public", for those implementations. If either Certificate Services Remote Administration Protocol or Windows Client Certificate Enrollment Protocol or both are also implemented, access to the configuration data elements from either or both of these protocols SHOULD be serialized.Timers XE "Server:timers" XE "Timers:server" XE "Timers:server" XE "Server:timers"None.Initialization XE "Server:initialization" XE "Initialization:server" XE "Initialization:server" XE "Server:initialization"Interface initialization: The CA MUST listen on the well-known endpoint specified for this RPC interface for the RPC over named pipes binding. The CA also MUST register with the RPC endpoint mapper service for the TCP over RPC binding (as specified in [MS-RPCE] section 2.2.1.2). Details are as specified in section 2.1. Cryptographic initialization: The CA SHOULD obtain the certificates, the signing private key, and the exchange private key. The CA also MUST validate the CA signing certificates and its chain. The validation is based on chain validation, as specified in [RFC3280] section 6. HYPERLINK \l "Appendix_A_4" \h <4>Message Processing and Sequencing Rules XE "Sequencing rules:server" XE "Message processing:server" XE "Server:sequencing rules" XE "Server:message processing"The ICertPassage Remote Protocol defines the following interface:ICertPassage (section 3.2.4.1): A method that enables a client to request certificates from a certification authority.ICertPassage InterfaceThe ICertPassage RPC interface permits the client to submit a certificate enrollment request to the CA and receive a signed X.509 certificate (as specified in [X509]) as the response.The version number for this interface is 0.0. The UUID for this interface is 91ae6020-9e3c-11cf-8d7c-00aa00c091be, as specified in [MS-RPCE]. HYPERLINK \l "Appendix_A_5" \h <5>The interface defines a single method.Methods in RPC Opnum OrderMethodDescriptionCertServerRequestOpnum: 0CertServerRequest (Opnum 0) XE "CertServerRequest method"The CertServerRequest method processes a certificate enrollment request from the client. HYPERLINK \l "Appendix_A_6" \h <6>DWORD?CertServerRequest(??[in] const handle_t?h,??[in] DWORD?dwFlags,??[in,?string,?unique] const wchar_t*?pwszAuthority,??[in,?out,?ref] DWORD*?pdwRequestId,??[out] DWORD*?pdwDisposition,??[in,?ref] const CERTTRANSBLOB*?pctbAttribs,??[in,?ref] const CERTTRANSBLOB*?pctbRequest,??[out,?ref] CERTTRANSBLOB*?pctbCert,??[out,?ref] CERTTRANSBLOB*?pctbEncodedCert,??[out,?ref] CERTTRANSBLOB*?pctbDispositionMessage);h: A handle retrieved during the RPC bind operation, as specified in [MS-RPCE] section 2.2.2.dwFlags: The dwFlags parameter has identical syntax and semantics to the dwFlags parameter specified in [MS-WCCE] section 3.2.1.4.2.1.pwszAuthority: The pwszAuthority parameter has identical syntax and semantics to the pwszAuthority parameter specified in [MS-WCCE] section 3.2.1.4.2.1.pdwRequestId: The pdwRequestId parameter has identical syntax and semantics to the pdwRequestId parameter specified in [MS-WCCE] section 3.2.1.4.2.1.pdwDisposition: The pdwDisposition parameter has identical syntax and semantics to the pdwDisposition parameter specified in [MS-WCCE] section 3.2.1.4.2.1.pctbAttribs: A pointer to a CERTTRANSBLOB structure, as specified in [MS-WCCE] section 2.2.2.2, where the pb field of this structure points to a Unicode (as specified in [UNICODE4.0]) null-terminated string and the cb field contains the length of the string, including the NULL-terminated character (in bytes). If the value of the cb field doesn’t match the length, in bytes, of the string (including the terminating null character), the CA MUST return the E_INVALIDARG error (0x80070057) to the client. Otherwise, the semantics of the string pointed to by the pb field are identical to the pwszAttributes parameter specified in [MS-WCCE] section 3.2.1.4.2.1.pctbRequest: The pctbRequest parameter has identical syntax and semantics to the pctbRequest parameter, as specified in [MS-WCCE] section 3.2.1.4.2.1.pctbCert: The pctbCert parameter has identical syntax and semantics to the pctbCertChain parameter, as specified in [MS-WCCE] section 3.2.1.4.2.1.pctbEncodedCert: The pctbEncodedCert parameter has identical syntax and semantics to the pctbEncodedCert parameter, as specified in [MS-WCCE] section 3.2.1.4.2.1.pctbDispositionMessage: The pctbDispositionMessage parameter has identical syntax and semantics to the pctbDispositionMessage parameter, as specified in [MS-WCCE] section 3.2.1.4.2.1.Return Values: The method MUST return ERROR_SUCCESS (0x00000000) on success. This method's return values MUST have identical syntax and semantics to the return values specified in [MS-WCCE] section 3.2.1.4.2.1.If the ADM element Config.CA.Interface.Flags contains the value IF_NORPCICERTREQUEST, the server SHOULD return an error. HYPERLINK \l "Appendix_A_7" \h <7>If the ADM element Config.CA.Interface.Flags contains the value IF_ENFORCEENCRYPTICERTREQUEST and the RPC_C_AUTHN_LEVEL_PKT_PRIVACY authentication level ([MS-RPCE] section 2.2.1.1.8) is not specified on the RPC connection from the client, the CA MUST refuse to establish a connection with the client by returning E_ACCESSDENIED (0x80000009).Otherwise, the processing rules for the ICertRequestD::Request method ([MS-WCCE] section 3.2.2.6.2.1) apply, except that if the ADM element Config.CA.Interface.Flags contains the value IF_NOREMOTEICERTREQUEST, these values are ignored and the request is processed as though the values were absent.Timer Events XE "Server:timer events" XE "Timer events:server" XE "Events:timer - server" XE "Events:timer:server" XE "Timer events:server" XE "Server:timer events"None.Other Local Events XE "Server:local events" XE "Local events:server" XE "Events:local - server" XE "Events:local:server" XE "Local events:server" XE "Server:local events"None.Protocol Examples XE "Examples:overview" XE "Examples" A client is typically configured in such a manner that it is able to determine when it requires a certificate. A common scenario is that a user has been instructed to enroll for a certificate that will allow use of a security-enhanced wireless network. After the user invokes the enrollment process, the following sequence of events occurs:The enrollment client queries Active Directory (AD) for the templates (as specified in [MS-CRTD]) that are available for the specified user. As the resource manager, AD enforces that the user only receives templates that the user has read permissions to access (as specified in [MS-WCCE] section 2.2.2.11).The user selects the template with cn = Client Authentication (as specified in [MS-CRTD] section 2.1). This template includes the client authentication (OID = 1.3.6.1.5.5.7.3.2) as part of its pkiExtendedKeyUsage attribute (as specified in [MS-CRTD] section 2.12).The client then generates a public-private key pair and constructs the CMS as specified in [RFC3852] request message (as specified in section 2.2.1), which:Includes a public key. Includes a template name (that is, Client Authentication) as a request attribute.Is signed by the private key, as specified in [RFC3852].The client creates an RPC connection with the CA. See section 3.1.3.Using the connection previously mentioned, the client invokes the ICertPassage::CertServerRequest() method (see section 3.2.4.1.1) and, as a result, submits the CMS certificate request constructed in step 3.The CA receives the certificate request from the client. The CA validates the CMS message for digital signature validity and ASN.1 structure accuracy (as specified in [X660] and [X690]). The CA constructs a certificate based on the public key provided, the request attributes and extensions, and the template information.The CA signs the certificate with the CA private key and returns the newly created certificate to the caller in the pctbEncodedCert as an out parameter.SecuritySecurity Considerations for Implementers XE "Security:implementer considerations" XE "Implementer - security considerations" XE "Implementer - security considerations" XE "Security:implementer considerations"Security considerations for implementation of this protocol are as specified in [MS-WCCE] section 5.Index of Security Parameters XE "Security:parameter index" XE "Index of security parameters" XE "Parameters - security index" XE "Parameters - security index" XE "Index of security parameters" XE "Security:parameter index"Security parameterSectionAuthenticated RPC associationInitialization?(section?3.1.3)Cryptographic initializationInitialization?(section?3.2.3)Appendix A: Full IDL XE "IDL" XE "Full IDL" XE "IDL" XE "Full IDL"For ease of implementation, the full IDL is provided below, where "ms-dtyp.idl" is the IDL found in [MS-DTYP] Appendix A and "ms-wcce.idl" is the IDL found in [MS-WCCE] Appendix A.// Please refer to [MS-WCCE] for the definition of the // CERTTRANSBLOBimport "ms-wcce.idl";// basic type aliasestypedef byte BYTE;[ uuid(91ae6020-9e3c-11cf-8d7c-00aa00c091be), pointer_default(unique)]interface ICertPassage{ DWORD CertServerRequest([in] handle_t h,[in] DWORD dwFlags,[in, string, unique] const wchar_t *pwszAuthority,[in, out, ref] DWORD *pdwRequestId,[out] DWORD *pdwDisposition,[in, ref] const CERTTRANSBLOB *pctbAttribs,[in, ref] const CERTTRANSBLOB *pctbRequest,[out, ref] CERTTRANSBLOB *pctbCert,[out, ref] CERTTRANSBLOB *pctbEncodedCert,[out, ref] CERTTRANSBLOB *pctbDispositionMessage);}Appendix B: Product Behavior XE "Product behavior" The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include released service packs.Note: Some of the information in this section is subject to change because it applies to an unreleased, preliminary version of the Windows Server operating system, and thus may differ from the final version of the server software when released. All behavior notes that pertain to the unreleased, preliminary version of the Windows Server operating system contain specific references to Windows Server 2016 Technical Preview as an aid to the reader.Windows NT operating systemWindows 2000 operating systemWindows XP operating systemWindows Server 2003 operating systemWindows Vista operating systemWindows Server 2008 operating systemWindows 7 operating systemWindows Server 2008 R2 operating systemWindows 8 operating systemWindows Server 2012 operating systemWindows 8.1 operating systemWindows Server 2012 R2 operating systemWindows 10 operating systemWindows Server 2016 Technical Preview operating systemExceptions, if any, are noted below. If a service pack or Quick Fix Engineering (QFE) number appears with the product version, behavior changed in that service pack or QFE. The new behavior also applies to subsequent service packs of the product unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms SHOULD or SHOULD NOT implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term MAY implies that the product does not follow the prescription. HYPERLINK \l "Appendix_A_Target_1" \h <1> Section 1.7: The ICertPassage Interface is supported by all applicable Windows products. However, CMC (Certificate Management Protocol using CMS) request formats and CMC response formats are not supported by Windows NT or Windows 2000. CMC is specified in [RFC2797]. HYPERLINK \l "Appendix_A_Target_2" \h <2> Section 2.2.1: Windows NT and Windows 2000 do not support the CMC request format (as specified in [RFC2797]). HYPERLINK \l "Appendix_A_Target_3" \h <3> Section 3.1.3: For authenticated RPC, the client in Windows XP and all subsequent versions of Windows, according to the applicability list at the beginning of this section, passes RPC_C_AUTHN_GSS_NEGOTIATE and RPC_C_AUTHN_LEVEL_PKT_PRIVACY. The client in Windows 2000 Server operating system passes RPC_C_AUTHN_GSS_NEGOTIATE only to RPC. These values are used to allow RPC to negotiate the authentication level on behalf of the client with the server, as specified in [MS-RPCE]. HYPERLINK \l "Appendix_A_Target_4" \h <4> Section 3.2.3: The exchange private key was not used prior to Windows Server 2003. HYPERLINK \l "Appendix_A_Target_5" \h <5> Section 3.2.4.1: The supported clients are: Windows 2000 Professional operating systemWindows XPWindows VistaWindows 7Windows 8Windows 8.1Windows 10The supported servers are:Windows NT Server operating systemWindows 2000 ServerWindows Server 2003Windows Server 2008Windows Server 2008 R2Windows Server 2012Windows Server 2012 R2Windows Server 2016 Technical Preview HYPERLINK \l "Appendix_A_Target_6" \h <6> Section 3.2.4.1.1: The implementation of this method on Windows Server 2003 and all subsequent versions of Windows Server operating system, according to the applicability list at the beginning of this section, is identical to the ICertRequestD::Request method, as specified in [MS-WCCE] section 3.2.1.4.2.1. However, the implementation of this method on Windows 2000 Server has the following differences from the ICertRequestD::Request method. In ICertPassage on Windows 2000 Server:The format of the certificates request passed in the pctbRequest parameter MUST NOT be CMC, as specified in [RFC2797].Windows 2000 Server does not return or support issued certificates in the CMC format, as specified in [RFC2797]. HYPERLINK \l "Appendix_A_Target_7" \h <7> Section 3.2.4.1.1: In Windows Server 2003 and all subsequent versions of Windows Server, according to the applicability list at the beginning of this section, the error returned is RPC_S_SERVER_UNAVAILABLE (0x800706ba). Windows 2000 does not return an error.Change Tracking XE "Change tracking" XE "Tracking changes" This section identifies changes that were made to this document since the last release. Changes are classified as New, Major, Minor, Editorial, or No change. The revision class New means that a new document is being released.The revision class Major means that the technical content in the document was significantly revised. Major changes affect protocol interoperability or implementation. Examples of major changes are:A document revision that incorporates changes to interoperability requirements or functionality.The removal of a document from the documentation set.The revision class Minor means that the meaning of the technical content was clarified. Minor changes do not affect protocol interoperability or implementation. Examples of minor changes are updates to clarify ambiguity at the sentence, paragraph, or table level.The revision class Editorial means that the formatting in the technical content was changed. Editorial changes apply to grammatical, formatting, and style issues.The revision class No change means that no new technical changes were introduced. Minor editorial and formatting changes may have been made, but the technical content of the document is identical to the last released version.Major and minor changes can be described further using the following change types:New content added.Content updated.Content removed.New product behavior note added.Product behavior note updated.Product behavior note removed.New protocol syntax added.Protocol syntax updated.Protocol syntax removed.New content added due to protocol revision.Content updated due to protocol revision.Content removed due to protocol revision.New protocol syntax added due to protocol revision.Protocol syntax updated due to protocol revision.Protocol syntax removed due to protocol revision.Obsolete document removed.Editorial changes are always classified with the change type Editorially updated.Some important terms used in the change type descriptions are defined as follows:Protocol syntax refers to data elements (such as packets, structures, enumerations, and methods) as well as interfaces.Protocol revision refers to changes made to a protocol that affect the bits that are sent over the wire.The changes made to this document are listed in the following table. For more information, please contact dochelp@.SectionTracking number (if applicable) and descriptionMajor change (Y or N)Change type7 Appendix B: Product BehaviorUpdated the product applicability list and product behavior notes to include Windows 10.YContent update.7 Appendix B: Product BehaviorUpdated the product behavior notes to include the Windows Server 2016 Technical Preview operating system.YContent update.IndexAAbstract data model client PAGEREF section_945fa6c4878147418517f576d56ea50a11 server PAGEREF section_3b9ff8352fe34a06a706d025afbe58c911Applicability PAGEREF section_c56a7fae36d84171a1389e2c773032188CCapability negotiation PAGEREF section_fde54ffe62e1412b9926b146a7120a288CertServerRequest method PAGEREF section_0c6f150e3ead4006b37febbf9e2cf2e712Change tracking PAGEREF section_5c3f4c921fc64c2daf00c5d6a3d6a0e820Client abstract data model PAGEREF section_945fa6c4878147418517f576d56ea50a11 icertpassage interface PAGEREF section_ea7ebb8c2c2c42cea2af022d99ec996211 initialization PAGEREF section_ae80a9e6ca27426a911a027a31984b9f11 local events PAGEREF section_5eccb76b62d64f5dbd557ea64a693e9511 message processing PAGEREF section_be73952a3af8454bb19f750cec97c50311 overview PAGEREF section_ea7ebb8c2c2c42cea2af022d99ec996211 processing ICertPassage:: CertServerRequest PAGEREF section_e04b965fbf1f482b9e9e2d01c975714d11 sequencing rules PAGEREF section_be73952a3af8454bb19f750cec97c50311 timer events PAGEREF section_191f25ccef0945979c0a8f0d8aab373111 timers PAGEREF section_deb10fff4ac84bbc83091c07999ae42711Common data types PAGEREF section_901fb33ec81e4917a9471f6ad546275a10DData model - abstract client PAGEREF section_945fa6c4878147418517f576d56ea50a11 server PAGEREF section_3b9ff8352fe34a06a706d025afbe58c911Data types common - overview PAGEREF section_901fb33ec81e4917a9471f6ad546275a10 request format PAGEREF section_6bf658ba852349ed9306fd67eebdec3310 response format PAGEREF section_6cc18087c47c45eda9756fd90165866910EEvents local client PAGEREF section_5eccb76b62d64f5dbd557ea64a693e9511 server PAGEREF section_627e3eb0f23946388e6713e62ce9bab714 local - client PAGEREF section_5eccb76b62d64f5dbd557ea64a693e9511 local - server PAGEREF section_627e3eb0f23946388e6713e62ce9bab714 timer client PAGEREF section_191f25ccef0945979c0a8f0d8aab373111 server PAGEREF section_3a40c7f4f4234592abf9df808980793514 timer - client PAGEREF section_191f25ccef0945979c0a8f0d8aab373111 timer - server PAGEREF section_3a40c7f4f4234592abf9df808980793514Examples PAGEREF section_8db7cd8f62e44536af77c72dacbcf35c15 overview PAGEREF section_8db7cd8f62e44536af77c72dacbcf35c15FFields - vendor-extensible PAGEREF section_3b299ec17bb644c9850cea06201f188d9Full IDL PAGEREF section_5950cc59a9f7461ab928b1f631ac0d0a17GGlossary PAGEREF section_a34f6642512048dfba4ce6d671d7a5d05Iicertpassage interface (section 3.1 PAGEREF section_ea7ebb8c2c2c42cea2af022d99ec996211, section 3.2 PAGEREF section_05dec7674b6a4d12a101b5148431bbd111)IDL PAGEREF section_5950cc59a9f7461ab928b1f631ac0d0a17Implementer - security considerations PAGEREF section_e60105f2e723417da1a84c2eb9febacb16Index of security parameters PAGEREF section_01e575e2f7584cf3a0b8a3603b73b69916Informative references PAGEREF section_39e0d87dc5ae48678d951528a9946f4d7Initialization client PAGEREF section_ae80a9e6ca27426a911a027a31984b9f11 server PAGEREF section_b5c68eea219245c29c33540c122932e812Interfaces - client icertpassage PAGEREF section_ea7ebb8c2c2c42cea2af022d99ec996211Interfaces - server icertpassage PAGEREF section_05dec7674b6a4d12a101b5148431bbd111Introduction PAGEREF section_2e19db51dbea44b88992590c2afd0f3b5LLocal events client PAGEREF section_5eccb76b62d64f5dbd557ea64a693e9511 server PAGEREF section_627e3eb0f23946388e6713e62ce9bab714MMessage processing client PAGEREF section_be73952a3af8454bb19f750cec97c50311 server PAGEREF section_ce99584034bb449b8b0734ba53ccd56d12Messages common data types PAGEREF section_901fb33ec81e4917a9471f6ad546275a10 overview PAGEREF section_c6dd07f3c1be4ac88e86d3f2f1ed573210 request format data type PAGEREF section_6bf658ba852349ed9306fd67eebdec3310 response format data type PAGEREF section_6cc18087c47c45eda9756fd90165866910 transport PAGEREF section_9f0b251bc72248519a454e912660b45810NNormative references PAGEREF section_052822484381427299e8f35a57dc94fc7OOverview PAGEREF section_021b19a6a8ec47328c7670933bf53e948Overview (synopsis) PAGEREF section_021b19a6a8ec47328c7670933bf53e948PParameters - security index PAGEREF section_01e575e2f7584cf3a0b8a3603b73b69916Preconditions PAGEREF section_9b614b08ae7d45bd8127a069e85f1c478Prerequisites PAGEREF section_9b614b08ae7d45bd8127a069e85f1c478Product behavior PAGEREF section_e0df83f897ce4744bebc041ed3b1e80f18Protocol Details overview PAGEREF section_c1d50f79201b4e918e614ee14e25387111RReferences PAGEREF section_064df82fd04442dfb5542ffa3ac7a1a36 informative PAGEREF section_39e0d87dc5ae48678d951528a9946f4d7 normative PAGEREF section_052822484381427299e8f35a57dc94fc7Relationship to other protocols PAGEREF section_36c83ae40e454af58e0b4589629932ff8Request format data type PAGEREF section_6bf658ba852349ed9306fd67eebdec3310Response format data type PAGEREF section_6cc18087c47c45eda9756fd90165866910SSecurity implementer considerations PAGEREF section_e60105f2e723417da1a84c2eb9febacb16 parameter index PAGEREF section_01e575e2f7584cf3a0b8a3603b73b69916Sequencing rules client PAGEREF section_be73952a3af8454bb19f750cec97c50311 server PAGEREF section_ce99584034bb449b8b0734ba53ccd56d12Server abstract data model PAGEREF section_3b9ff8352fe34a06a706d025afbe58c911 icertpassage interface PAGEREF section_05dec7674b6a4d12a101b5148431bbd111 initialization PAGEREF section_b5c68eea219245c29c33540c122932e812 local events PAGEREF section_627e3eb0f23946388e6713e62ce9bab714 message processing PAGEREF section_ce99584034bb449b8b0734ba53ccd56d12 overview PAGEREF section_05dec7674b6a4d12a101b5148431bbd111 sequencing rules PAGEREF section_ce99584034bb449b8b0734ba53ccd56d12 timer events PAGEREF section_3a40c7f4f4234592abf9df808980793514 timers PAGEREF section_481cb6e02fa3464da3244e1288a8a1be12Standards assignments PAGEREF section_ee455a0073fb4edb85c8b7b1394e770f9TTimer events client PAGEREF section_191f25ccef0945979c0a8f0d8aab373111 server PAGEREF section_3a40c7f4f4234592abf9df808980793514Timers client PAGEREF section_deb10fff4ac84bbc83091c07999ae42711 server PAGEREF section_481cb6e02fa3464da3244e1288a8a1be12Tracking changes PAGEREF section_5c3f4c921fc64c2daf00c5d6a3d6a0e820Transport PAGEREF section_9f0b251bc72248519a454e912660b45810VVendor-extensible fields PAGEREF section_3b299ec17bb644c9850cea06201f188d9Versioning PAGEREF section_fde54ffe62e1412b9926b146a7120a288 ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download